Thursday, February 10, 2011

AntiVira Av is a rogue anti-virus program that demands money to clean up non-existent infections. It uses malware to advertise and install itself. Usually, users get scary pop-ups that look just like legitimate security warnings while surfing the web. Cyber-criminals rely on fear tactics to dupe users into installing AntiVira Av. Spam is also an easy way to advertise rogue security software. Once installed, this fake anti-virus tries to convince you that your computer is at risk or infected with spyware, Trojans and other malicious software. Anti Vira Av disables legitimate security software and blocks malware removal tools, claiming that they are infected. The rogue program hijacks Internet Explorer. It displays fake security warnings and notifications about critical system infections and a dangerous attack from a remote computer. These alerts are all fake, of course. AntiVira Av pressures you to purchase software that actually won't protect you and won't remove threats from your PC. Fortunately, you can use real anti-malware applications to remove AntiVira Av and related malware from your computer. We've got the removal instructions to help you remove this scareware for free. Please follow the steps in the removal guide below.

AntiVira Av is a copy of Antivirus .NET. It changes your LAN settings and configures your computer to use a proxy server that displays a fake security warning instead of the requested website. The rogue program will also randomly open web pages containing explicit/adult content.

Here are some of the fake security alerts that you will probably see if your computer gets infected with AntiVira Av:

Antivirus software alert.
Virus attack!
Your computer is being attacked by an internet virus. It could be a password-stealing attack, a trojan-dropper or similar.
Threat: Win32/Nuqel.E
Do you want to block this attack?

When the rogue terminates a program, it displays the following error message:

Security Alert
Virus Alert!
Application can't be started! The file [program_name].exe is damaged. Do you want to activate your antivirus software now?

AntiVira Av related websites: poprog.net, shopllbo.com. The fake AV redirects users to one of these websites to purchase a license for AntiVira Av. As you can see, there are three versions of this malware: AntiVira Av Limited, AntiVira Av Plus and AntiVira Av Full. Thesafepc.com is also related to this fraud.

Antivira Av runs from your Temp folder. It's a single, randomly named file in a randomly named folder. In order to remove this rogue security program from your computer you will have to restart your computer in Safe Mode with Networking, disable the proxy server and download a malware removal tool. For more information, please follow the removal instructions below. If you do get duped into installing this rogue program, don't panic. And do not hand over any money. If you have already purchased it, please contact your credit card company and dispute the charges. If you need help removing Antivira Av, please leave a comment. Look out for this piece of malware. Good luck and be safe online!
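As an added example (not part of the original guide), here is a small PowerShell check for the two things this article and the comments below point at: a Run entry launching a randomly named executable from the Temp folder, and the Internet Explorer LAN proxy setting that the rogue switches on. It assumes Windows PowerShell and only reads the current user's registry hive; the revert command is printed, not executed.

```powershell
# Added example, not code from the original post. Read-only audit of the
# current user's Run key and IE proxy settings (HKCU hive only).
$runKey  = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
$inetKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
# %TEMP% may be an 8.3 short path on XP, so we also match on a "\Temp\" segment.
$tempDir = [System.IO.Path]::GetFullPath($env:TEMP).TrimEnd('\')

Write-Host "== Run entries launching from the Temp folder =="
$run = Get-ItemProperty -Path $runKey
foreach ($prop in $run.PSObject.Properties) {
    # Get-ItemProperty adds PSPath/PSParentPath/... metadata; skip those.
    if ($prop.Name -like 'PS*') { continue }
    $cmd = [string]$prop.Value
    # Strip surrounding quotes, then drop any arguments after the .exe.
    $exe = ($cmd -replace '^"([^"]+)".*$', '$1') -replace '^(\S+\.exe).*$', '$1'
    $exe = [Environment]::ExpandEnvironmentVariables($exe)
    $inTemp = $exe.StartsWith($tempDir, [StringComparison]::OrdinalIgnoreCase) `
              -or ($exe -match '\\Temp\\')
    if ($inTemp) {
        Write-Host ("SUSPECT  {0,-25} -> {1}" -f $prop.Name, $exe)
        Write-Host ("         file present: {0}" -f (Test-Path -LiteralPath $exe))
    }
}

Write-Host "== IE LAN proxy setting =="
$inet = Get-ItemProperty -Path $inetKey
if ($inet.ProxyEnable -eq 1) {
    Write-Host "ProxyEnable=1  ProxyServer=$($inet.ProxyServer)"
    Write-Host "A proxy you did not configure yourself matches the hijack described above."
    Write-Host "To revert after removal: Set-ItemProperty -Path '$inetKey' -Name ProxyEnable -Value 0"
} else {
    Write-Host "ProxyEnable=0 (no proxy configured)"
}
```

A legitimate program that starts from Temp is rare, so any SUSPECT line deserves a look; compare the name against the random-character entry the comment below describes before deleting anything.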

AntiVira Av removal instructions (in Safe Mode with Networking):

1. Reboot your computer in "Safe Mode with Networking". As the computer is booting, tap the "F8 key" continuously, which should bring up the "Windows Advanced Options Menu" as shown below. Use your arrow keys to move to "Safe Mode with Networking" and press the Enter key. Read more detailed instructions here: http://www.computerhope.com/issues/chsafe.htm

NOTE: Log in as the same user you were previously logged in with in normal Windows mode.

NOTE: in some cases the rogue program may block anti-malware software. Before saving the selected program onto your computer, you may have to rename the installer to iexplore.exe, explorer.exe or winlogon.exe. With all of these tools, if running Windows 7 or Vista they MUST be run as administrator. Launch the program and follow the prompts. Don't forget to update the installed program before scanning.

4. New threats appear every day. In order to protect your PC from such (new) infections we strongly recommend that you use ESET Smart Security.

1. Download iexplore.exe (NOTE: the iexplore.exe file is a renamed HijackThis tool from TrendMicro).
Launch iexplore.exe and click the "Do a system scan only" button.
If you can't open the iexplore.exe file, then download explorer.scr and run it.


52 comments:

Anonymous said...

This info was vitally helpful. In iexplore, I could not find the R1 entry, but I found an unusual O4 entry and deleted it, ending all my Anti Vira AV problems. When I opened Google Chrome again, it told me that it was forced to go through a proxy that no longer existed, and so I had to uncheck a box in the LAN networking settings to make it work. After that, though, everything was back to normal.

I would like to thank you for getting me out of a (pardon my language) fuckload of a jam, this really helped me. If I knew who you were I would reward you with a cookie, but I don't. Thank you sir. Thank you.

Hey, thanks to this web site and also to the person who posted before me. I got rid of it with the HijackThis but it still shut down my proxy settings for Explorer etc. I read the post above and checked my LAN settings and sure enough that was it, cheers.

Thank you so much for posting "How to Remove AntiVira Av (Uninstall Guide)". I followed every step & when one method did not seem to resolve the problem right away, I used the alternatives you provided (thanks to the other posts too for giving me that idea)! Since the virus affected my internet, I used my really smart blackberry to find your blog on the web & download the executables for the fixes. Saved them to my phone's media card & popped it right into my pc's card reader slot! So far so great in terms of getting rid of that virus! I have small children that frequently use the computer, I could not take the chance of having the adult content websites constantly pop up! Again, thank you SO MUCH for taking the time to post the details & snapshots of this P-I-T-A virus & great instructions on how to hijack it!! :-)

I had to come back and give my appreciation to whoever created this post. THANK YOU THANK YOU THANK YOU!!!! I can not say that enough... these stupid things get us every time and I am so appreciative to people like you who provide us computer novices with advice... I used your advice and it worked on the first time!!! Once again thank you eternally... I only wish we could say thank you in person!

Thank you so much! I just got this really annoying malware from out of the blue on my Windows XP desktop, and it got really frustrating. Luckily, I had a laptop available, where I was able to find this thread and download the suggestions to a USB drive. I tried MalwareBytes first, but antivira av blocked that, so instead of worrying about renaming or safe mode, I just jumped to HijackThis, which worked like a charm. I found the R1 and the O4, just like the post said, and one easy "fix this" button later, I'm back to normal, with no more problems to report!!

I work for a school district and one of our PC's just got infected a few days ago and several people tried to fix it with no avail. After trying the alternate method mentioned above, it worked! Thank you for posting such good info on here. I definitely will be on here more often. Thanks again!

AntiVira Av removal instructions (in Safe Mode with Networking) using the SUPERAntiSpyware worked for my computer. Thank you very much. Excellent post. I almost paid money to these Antivira crooks to buy their protection. They are like thugs who ask protection money from stores/people to protect from them. Thank you for your blog. You rock! Keep up the good work.

I would add a little comment myself. To identify this: [SET OF RANDOM CHARACTERS] in %Temp% folder, I suggest you find this in the registry:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "[SET OF RANDOM CHARACTERS]"
The "Data" field shows the location of the file (../Temp/[SET OF RANDOM CHARACTERS]/[ANOTHER SET OF RANDOM CHARACTERS].exe).

I would like to applaud you for this fix, I am sure that I am not the only one that found your instructions and recommendations so simple to follow. I will be recommending your website to all my mates and work colleagues, wish you guys all the best and MANY THANKS!!!!!!! Cheers SUBEDO STI

Thanks for the info on this. I knew what it was when I saw it, but could not access my anti-malware program. Threw it into safe mode, ran my anti-malware, then restarted my laptop; AVG popped up and took care of the trojans, then I restarted and reset my Firefox to no proxy servers and it's working. Thanks again for the advice.

Awesome work in getting all this together. This was one of the most frustrating viruses I have ever come across and this article has the best information on how to get rid of it. God bless and thanks again.

Thanks so much. Your blog is so helpful. I got Antivira sometime today. I don't know how, and was silently freaking out as my antivirus/security suite did nothing to protect me from it. I followed your steps and had no problem in safe mode. I removed it with MBAM. I did use HijackThis to double check, and I also used SUPERAntiSpyware to double check because I just wanted to make sure it was gone.

This is how I did it, without safe mode, since I use a USB keyboard and cannot press F8. As Windows is starting up, before Antivira AV can load, I press Alt+Ctrl+Del and opened Task Manager (thank god my PC's a dinosaur and things take forever to load on startup), then I ended the gibberish process bthaghdjs or something. Thank god I was able to load Mozilla and search for this, as it only hijacked IE8, so I was able to fix the proxy setting thing, although I'd have found this eventually (using a friend's computer or just through my IQ). I already have Spybot, so I deleted the startup file using its tool. From now on I'm keeping the TeaTimer running no matter how slow it makes my startup lol!

Thank you! I used Malwarebytes Anti-Malware freeware to remove the virus, then had to reset the LAN settings back to auto detect from "use proxy server" in order for IE8 to work again. I was not able to get my AVG anti-virus program to detect the virus - even when I ran the scan in Safe Mode. The Malwarebytes freeware, however, did a great job. Thanks again for the super instructions!!!

Is there anyone who can walk me through this? I am REALLY not good with computers and find even the steps above confusing. I mean, I got to the point of unchecking the proxy server box... But how am I supposed to download anything if I can't access the Internet!?! I'm so confused and frustrated. Am I going to have to pay for something to get this removed from my computer? Please, if someone could send some kind of instructions - like the ones you'd give your 97 year old great grandmother - to zakarts8@yahoo.com I'd be grateful forever. I'll never figure this out myself.

I appreciate you taking the time to post this info. Using your instructions and Spybot, I was finally able to get rid of this scareware. I feel sorry for the people with limited computer knowledge that will have this issue... like my parents. A big FU to all the programmers creating this sh*te... truly worthless human beings.

THANK YOUUUUUUU!!!!!!!!! I was a bit suspicious when I read your instructions for some reason, but I must join the band of THANK YOUs!!!!!! You have saved my butt and you don't even know it! Thank you AGAIN!!!! :D

Thank You!! If I ever meet the person who created AntiVira Av and/or the person who infected my daughter's computer with this garbage, I will hurt them. Not in a nice way, like when terrorists torture someone, I will hurt the person bad, real bad.


About Me

Hi there, and welcome to my humble web presence. I'm Michael Kaur. Malware squasher, geek, and blogger based in Los Angeles, CA. If you'd like to contact me, the easiest way is through email given below or Google+. Simply add me to your Google Plus circles.

Disclaimer: This is a self-help guide. Use at your own risk. Deletemalware.blogspot.com can not be held responsible for problems that may occur by using this information.

About the blog: This blog provides reliable information about the latest computer security threats including spyware, adware, browser hijackers, Trojans and other malicious software. We do NOT host or promote any malware (malicious software). We just want to draw your attention to the latest viruses, infections and other malware-related issues. The mission of this blog is to inform people about already existing and newly discovered security threats and to provide assistance in resolving computer problems caused by malware.